Graylog 3.0 with Docker - Connection reset by peer

Hi, it seems I’m unable to run 3.0 in docker. I just upgraded from 2.5.1 and always get connection reset by peer.

version: '2'
            image: mongo:3
              - mongodata:/data/db
            restart: on-failure
            image: elasticsearch:5.6.13
              - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
              - elasticdata:/usr/share/elasticsearch/data
            restart: on-failure
        image: graylog/graylog:3.0
         - GRAYLOG_HTTP_EXTERNAL_URI=https://droplet.url/
        restart: on-failure
          - mongodb:mongo
          - elasticsearch
          - mongodb
          - elasticsearch
       - 9000:9000
       - 514:514
       - 514:514/udp
       - 12201:12201
       - 12201:12201/udp

Nginx conf:

location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            proxy_pass http://localhost:9000;
            proxy_redirect http://localhost:9000 https://droplet.url;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 90;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-Graylog-Server-URL http://$server_name;
            proxy_cache_bypass $http_upgrade;

curl -v localhost:9000

* Rebuilt URL to: localhost:9000/
*   Trying
* Connected to localhost ( port 9000 (#0)
> GET / HTTP/1.1
> Host: localhost:9000
> User-Agent: curl/7.58.0
> Accept: */*
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

Nginx error log says practically the same thing as the curl when i try to open the url in browser.
Is by any chance the documentation not up to date? I already noticed that there is different format for the bind address, which results in container not starting if used from the docs.

Any help appreciated, lost about two hours already on this.

Have you had a look at the graylog logs? Try running docker logs graylog_graylog_1 -f (or whatever your graylog container name is)? Follow the output or redirect it to a file as you reproduce the error.

The amount of logging can be overwhelming sometimes. You could let it run for a minute and take note of the exact time to the second when you reproduce the error. This way you have a piece of log information (first minute) that will show “regular” output, and the time you recorded at which you reproduced the error.

I’m by no means an expert (just got graylog running in Docker last night) but if you find anything in those logs, share it and hopefully someone can guide you in the right direction.

Good luck!

1 Like

Thanks for taking a look, i wasn’t able to find anything that would point to an error in the logs.
It ended up with the “node going from dead to healthy” (or something along those lines) and Graylog up and running. Nothing that would point to a misconfiguration during start of the container.

I was however able to get it running, yet I don’t quite understand why.
I switched the GRAYLOG_HTTP_BIND_ADDRESS to and now things are working. I’m puzzled…

Graylog 3.0 does not support ES 5.6 - you’ll have to use 6.x :slight_smile:

Is that so?

The documentation states otherwise

Graylog 3.0 drops support for Elasticsearch versions before 5.6.x. That means you have to upgrade 
Elasticsearch to at least version 5.6.13 before upgrading Graylog to version 3.0. Make sure to read 
the Elasticsearch upgrade guides before doing that.
1 Like

Hunh okay I missed that 5.6.13 part :smiley: (still, worth upgrading to 6).

Looked at your configuration again, and the bind address and external URI all seem fine, not entirely sure there what’s causing your issues :frowning: sorry!

I copied the exact docker-compose.yml from the docs.
Then run it. It reports that graylog is up and running. No errors in the logs. Well, there is an error about connecting to elastic but that is temporary.
But there is no gui. The gui doesn’t respond at all.

Doing the change suggested above with bind address worked.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.